KQL – Anything about IT

Users can create AzureAD tenants

Posted on22 November 202222 November 2022Leave a comment

Hello there, In this blog post we look at a new setting within the Azure AD portal. “Users can create Azure AD tenants“. Unfortunately, the setting is enabled by default. Not sure why, but I guess most organizations will want Read More …

How to analyze Microsoft Sentinel Daily Cap Alerts – AADNonInteractiveUserSignInLogs

Posted on20 May 2022Leave a comment

To avoid unplanned costs for Microsoft Sentinel, it is recommended to set a daily cap and create an analytics rule that triggers an alert when the daily cap is reached. Microsoft has published general guidance for monitoring costs here In Read More …

Detect Audit Policy Modifications with Microsoft 365 Defender

Posted on26 September 202126 September 2021Leave a comment

Hello there, In today’s blog post I want to share with you an advanced hunting query to detect audit policy modifications using Microsoft Defender 365 advanced hunting. Following the MITRE ATT&CK framework this would be T1484.001 Domain Policy Modification: Group Read More …

Use advanced hunting to Identify Defender clients with outdated definitions

Posted on25 August 20212 Comments

In an ideal world all of our devices are fully patched and the Microsoft Defender antivirus agent has the latest definition updates installed. Unfortunately reality is often different. When using Microsoft Endpoint Manager we can find devices with outdated definition Read More …

MTP Advanced Hunting – Public free E-Mail services

Posted on23 September 2020Leave a comment

Today I received an e-mail from a customer explaining to me that at times they have false positives with e-mail Impersonation. Depending on your configuration the e-mail will end up being moved to the user’s junk folder or into quarantine. Read More …

Generating Advanced hunting queries with PowerShell

Posted on11 July 202011 July 2020Leave a comment

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below But if you Read More …

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Posted on5 June 20205 June 20202 Comments

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base knowledge Read More …

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Posted on29 October 20192 September 20209 Comments

Note: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out Read More …

Tag: KQL

Users can create AzureAD tenants

Like this:

How to analyze Microsoft Sentinel Daily Cap Alerts – AADNonInteractiveUserSignInLogs

Like this:

Detect Audit Policy Modifications with Microsoft 365 Defender

Like this:

Use advanced hunting to Identify Defender clients with outdated definitions

Like this:

MTP Advanced Hunting – Public free E-Mail services

Like this:

Generating Advanced hunting queries with PowerShell

Like this:

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Like this:

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Like this: